By Andrew Garcia
Microsoft 365 service owner – Subject Matter expert, ACTS
Think compliance is nothing to really worry about? That only suckers get hit with massive fines? So why is it that Google, tech leader extraordinaire, was fined $57 million for GDPR violations, and Yahoo $85 million?
Here are some other whoppers:
- Equifax: $575 Million
- Home Depot: ~$200 million
- Uber: $148 million
- Yahoo: $85 million
- Capital One: $80 million
- Morgan Stanley: $60 million
- British Airways: $26.2 million
- Marriott International: $23.7 million
As you can see, compliance is a big budget-busting deal, and when it hits, it can hit hard. That’s why you must protect your data and block breaches. Fortunately, Microsoft 365 has a number of tools and features to ensure your Microsoft cloud follows all the rules.
It all starts with the Microsoft 365 Compliance Center. Just as the Microsoft 365 Admin Center is the hub for M365 management and administration, the Compliance Center is the hub for all things compliance – it tracks your compliance posture and is home to the actions that ensure your shop abides by the rules.
1. Use the Microsoft Compliance Scorecard
Similar to Microsoft Secure Score, the Compliance Scorecard determines an overall Compliance Score showing how well (or poorly) you are doing in reducing regulatory and data protection risks — and how much improvement is needed. To guide your compliance journey there is control mapping, and to ease implementation there are workflows to automate improvement actions.
2. Harness eDiscovery
When legal issues arise, data is often your first defense. That’s where eDiscovery comes in: it can hunt down data from OneDrive, SharePoint, Exchange mailboxes and public folders, Microsoft Teams, Skype for Business conversations, and Microsoft 365 groups – among other sources. This is crucial in a lawsuit, but just as valuable when compliance regulators come knocking.
3. Apply User Permissions to Compliance Tasks
Compliance for organizations of any real size is a team sport, with various folks holding different responsibilities. The M365 Compliance Center Permissions page grants the ability to perform compliance tasks, and each person can do only what their permissions allow. This includes roles such as eDiscovery Manager, Compliance Administrator, Records Management, Organization Management, Security Administrator, Reviewer, Security Reader, Supervisory Review and Service Assurance.
4. Threat Management
Compliance regulators aren’t necessarily looking over a company’s shoulder eying every action. They are most often called in when there is a breach, data leak, or other significant security incident. That is where the Compliance Center’s Threat Management tool comes in – stopping breaches and adverse security events from occurring keeps the regulators away and makes your environment safer at the same time.
Threat Management focuses on the danger from malicious software, spam (which often carries malicious payloads and hosts phishing attacks) and preventing data loss. At the same time, it safeguards your company’s reputation by monitoring domain accounts for undesirable and embarrassing activities and blocking spoofing.
Threat Management also:
- Encrypts your data and applies proper policies and the right settings.
- Secures and manages mobile devices reaching the M365 tenant through the use of access rules and policies. It can also wipe company data if there is a breach or other security incident.
5. Alerts
IT can’t respond to a breach or compromise attempt if it doesn’t know it’s happening. Alerts are the answer, and they should be set to track compliance-related events – threat detection, data leakage, exposure of PII, etc. Set the right alerts: not so many that IT is overwhelmed, and not so few that you miss critical compliance events.
6. Data Governance
The Compliance Center includes a Data Governance Center to manage data sources such as email, maintain proper and full records for the business, and easily search content in the event of a lawsuit or regulatory event. For email, you can retain what you need by importing PSTs, and set data retention for how you want to keep it and for how long, including archiving for long-term storage, which is often a requirement of compliance rules such as those for banks and other financial institutions. Most important is the supervision feature, which ensures that all communications and email, both internally and with third parties, align with your company’s rules and compliance regulations.
7. Information Protection
While compliance rules call for blocking breaches and other security defenses, they are fundamentally about protecting data. Here IT needs to discover through an audit the data that needs protection, classify it, and then secure it through its entire lifecycle.
8. Data Loss Prevention
Protecting regulated data means keeping it from leaving your organization – leaking out. For all companies, preventing this from happening is crucial. For those ruled by compliance, it can mean corporate life or death. If the fines don’t kill you, the loss of reputation just might.
The answer is to discover and track sensitive confidential data while in use, and keep it from being lost to hackers, malevolent employees, or simple negligence or accident.
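Here is what sections 5 and 8 describe, as an added example in Security & Compliance PowerShell (the ExchangeOnlineManagement module); it is not code from the article or from Microsoft's documentation. It creates a DLP policy that detects the built-in Credit Card Number sensitive information type when content is shared outside the organization, starts in test mode so the match rate can be tuned before anything is blocked, and raises an incident report to a compliance mailbox as the alert. The policy and rule names, the mailboxes and the confidence threshold are assumptions.

```powershell
# Added example: Security & Compliance PowerShell (ExchangeOnlineManagement module).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumed admin account

$policyName = "PCI - card numbers leaving the org"          # assumed policy name

# 1. Create the policy in test mode: matches are reported (and users notified)
#    but nothing is blocked yet, so false positives can be found first.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detect payment card data shared outside the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule: at least one card number at 85% confidence, shared with people
#    outside the organization -> block access, tell the owner, and raise an
#    incident report (this report is the compliance alert of section 5).
New-DlpComplianceRule -Name "Block external sharing of card numbers" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport "compliance@contoso.com" `
    -IncidentReportContent Title, Detections, DocumentAuthor, Service `
    -ReportSeverityLevel High

# 3. After a test window, review what the policy would have done.
Get-DlpDetailReport -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) `
    -DlpCompliancePolicy $policyName |
    Select-Object Date, Source, Actor, Title, Action

# 4. Once the match rate looks right, switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

In TestWithNotifications mode the BlockAccess action is recorded but not enforced, which is what lets you check the detection report before turning enforcement on.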
9. Data Retention Through Labels
Knowing what data to retain is critical for compliance. Microsoft uses Microsoft 365 Retention and Sensitivity labels to do the job. Labels can be applied manually or automatically based on policies and definitions of sensitive data, such as whether it contains particular keywords or metadata. Retention labels can be tied to records management to ensure protection throughout the lifecycle.
10. Retention Policies
Once labels are applied to sensitive data, IT can create policies for how the data is retained or deleted. These policies also determine how retained data is used, edited, where it is kept – and for how long.
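The label-then-policy flow of sections 9 and 10, as an added example in Security & Compliance PowerShell that is not the article's or Microsoft's own code: a retention label that keeps content for 7 years from creation as a record and then deletes it, a policy that publishes it so users can apply it by hand, and a second policy that auto-applies it by content match. The label and policy names, the query text and the 7-year period are assumptions standing in for whatever your regulation demands.

```powershell
# Added example: Security & Compliance PowerShell (ExchangeOnlineManagement module).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # assumed admin account

$label = "Financial record - 7 years"                       # assumed label name

# 1. The retention label: keep for 2555 days (7 years) from creation, then delete.
#    IsRecordLabel locks the item as a record so it cannot be edited or removed early.
New-ComplianceTag -Name $label `
    -Comment "Statements, invoices and reconciliations kept under financial record rules" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType CreationAgeInDays `
    -IsRecordLabel $true

# 2. Publish the label so users can apply it manually in Outlook, SharePoint and OneDrive.
New-RetentionCompliancePolicy -Name "Publish financial labels" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Publish financial record label" `
    -Policy "Publish financial labels" -PublishComplianceTag $label

# 3. Auto-apply the same label where the content matches a keyword query
#    (a KQL query; sensitive-information-type conditions are the other option).
New-RetentionCompliancePolicy -Name "Auto-apply financial labels" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Auto-label financial records" `
    -Policy "Auto-apply financial labels" -ApplyComplianceTag $label `
    -ContentMatchQuery 'invoice OR "account statement" OR reconciliation'

# 4. Verify the label settings and where each policy has actually been distributed.
Get-ComplianceTag -Identity $label |
    Select-Object Name, RetentionAction, RetentionDuration, RetentionType, IsRecordLabel
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus, ExchangeLocation, SharePointLocation
```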
11. Auditing
Auditing is critical for tracking M365 activity and user behavior, as well as for security and data breach forensics. It is just as vital for compliance. Auditing helps unearth areas of vulnerability so you can close them. Just as important for compliance is how you respond to a breach or other incident. Auditing is an essential tool for security investigations, and for proving to compliance auditors how well you responded. Auditing can show the actions of end users, as well as detail the actions of admins and security staff during and after the event.
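Auditing in practice, as an added example that is not code from the article (Exchange Online PowerShell, ExchangeOnlineManagement module): confirm the unified audit log is switched on, page through the last 30 days of file, sharing and DLP events, and summarise them per user and operation as the starting point for an investigation and as evidence for a compliance auditor. The admin account, the 30-day window and the operation list are assumptions.

```powershell
# Added example: Exchange Online PowerShell (ExchangeOnlineManagement module).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # assumed admin account

# 1. Nothing below works unless unified audit logging is on; enable it if not.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Pull 30 days of file, sharing and DLP events. Search-UnifiedAuditLog returns
#    at most 5000 rows per call, so page with a SessionId until a call comes back empty.
$start = (Get-Date).AddDays(-30)
$end   = Get-Date
$ops   = "FileDownloaded", "FileDeleted", "SharingSet", "AnonymousLinkCreated", "DlpRuleMatch"
$sessionId = "compliance-review-$(Get-Date -Format yyyyMMddHHmm)"
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += $page
} while ($page)

# 3. AuditData is a JSON string per row; expand it to reach UserId, Operation, ObjectId, ClientIP.
$parsed = $events | ForEach-Object { $_.AuditData | ConvertFrom-Json }

# 4. Who did what, most active first: where an investigation usually starts.
$parsed | Group-Object UserId, Operation | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# 5. Keep the raw evidence for the auditors.
$parsed | Select-Object CreationTime, UserId, Operation, Workload, ObjectId, ClientIP |
    Export-Csv -Path .\audit-evidence.csv -NoTypeInformation
```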
12. Data Classification
Classifying data is key to maintaining its compliance. With M365, data can be classified manually, through pattern matching, or through more advanced machine learning.
With the manual approach, a person can literally decide or judge whether the data is sensitive or manually compare the data to pre-set labels defining what is sensitive.
Automated Pattern Matching is suited for large swaths of data, and finds and classifies data based on metadata and keywords, or compliance-regulated information such as PII.
Machine Learning is where the system is trained based on examples to know what is sensitive, then automatically classify it.
The Microsoft Compliance Center can get you started with six built-in data classifiers:
- Harassment: Looks for offensive language aimed at individuals based on items such as race, religion, ethnicity, gender, national origin, age, sexual orientation, or disability.
- Offensive Language: Looks for swears, slurs, threats and taunts, etc.
- Profanity: Language that is offensive, rude or embarrassing.
- Resumes: Discovers items such as resumes that contain personal data about education, work experience, and other PII.
- Source Code: Finds code that could be proprietary intellectual property, and which can also represent a security risk.
- Threat: Language that includes threats of violence or other forms of personal, emotional or economic harm.
Other Compliance Center areas include:
- Content Search: Find compliance-regulated information with ease.
- Records Management: Maintain sensitive records with retention, scheduling, and proper storage to meet business, legal and compliance needs.
- Data Subject Requests: Key to GDPR, companies under these rules must find and report on personal information when a person requests it.
- Data Investigations: Easily find sensitive data that may have been accidentally or maliciously moved or leaked.
(Andrew Garcia is a Microsoft 365 Service owner and subject matter expert with a focus on cloud modern workplace transformations centered on Azure and Microsoft 365. He is an experienced cloud deployment and enablement specialist for ACTS, guiding clients through long-term strategic cloud journeys, along with security hardening and value discovery engagements.)